<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Sorry, I don't have time to go through the entire thread here today :(
but what I can tell now is that this solution is working; in our
testing, one of the nodes' configuration is:</p>
<pre>
{
  "Dhcp4": {
    "option-data": [],
    "hooks-libraries": [
      {
        "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so"
      },
      {
        "library": "/usr/local/lib/kea/hooks/libdhcp_ha.so",
        "parameters": {
          "high-availability": [
            {
              "peers": [
                {
                  "auto-failover": true,
                  "name": "server1",
                  "role": "primary",
                  "url": "https://172.28.0.31:8003/"
                },
                {
                  "auto-failover": true,
                  "name": "server2",
                  "role": "standby",
                  "url": "https://172.28.0.32:8003/"
                }
              ],
              "state-machine": {
                "states": []
              },
              "mode": "hot-standby",
              "heartbeat-delay": 2000,
              "max-ack-delay": 1000,
              "max-response-delay": 4000,
              "max-unacked-clients": 4,
              "this-server-name": "server1",
              "trust-anchor": "/usr/local/var/lib/kea/ca_cert.pem",
              "cert-file": "/usr/local/var/lib/kea/server_cert.pem",
              "key-file": "/usr/local/var/lib/kea/server_key.pem",
              "require-client-certs": false,
              "multi-threading": {
                "enable-multi-threading": true,
                "http-dedicated-listener": true,
                "http-listener-threads": 0,
                "http-client-threads": 0
              }
            }
          ]
        }
      }
    ],
    "shared-networks": [],
    "subnet4": [
      {
        "subnet": "192.168.50.0/24",
        "pools": [
          {
            "pool": "192.168.50.1-192.168.50.200"
          }
        ],
        "interface": "enp0s9"
      }
    ],
    "interfaces-config": {
      "interfaces": [
        "enp0s9"
      ]
    },
    "renew-timer": 1000,
    "rebind-timer": 2000,
    "valid-lifetime": 4000,
    "loggers": [
      {
        "name": "kea-dhcp4",
        "output_options": [
          {
            "output": "/usr/local/var/log/kea.log"
          }
        ],
        "severity": "DEBUG",
        "debuglevel": 99
      }
    ],
    "lease-database": {
      "type": "memfile"
    }
  }
}
</pre>
<p>Hope that will help you in your investigation.</p>
<p>Wlodek<br>
</p>
<div class="moz-cite-prefix">On 28/06/2023 13:44, Kraishak Mahtha
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CADDat85cZFHuOJidoLn5CDfpjH-mR4+LVV2xZ-mHfe3R14BxOg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi Darren,
<div><br>
</div>
<div>I am deploying in my lab currently, but when we get
more familiar we will proceed to production. Yes, I tried
even with 2.3.8 and I am facing an issue. I thought it could
be because of my certificates, and when reading more on
this I saw a note in the reference document that </div>
<div>"A sample set of certificates and associated objects is available at src/lib/asiolink/testutils/ca".</div>
<div>I have downloaded the source from Git, and from the folder
kea-master\kea-master\src\lib\asiolink\testutils\ca I used the
following certificates:</div>
<div>"trust-anchor": "/root/kea-server.crt"<br>
"cert-file": "/root/kea-server.csr"<br>
"key-file": "/root/kea-server.key"</div>
<div><br>
</div>
<div>But with this, I am getting the following error:<br>
11:33:40.411 DEBUG [kea-dhcp4.hooks/13148.140464316582080]
HOOKS_STD_CALLOUT_REGISTERED hooks library
/opt/tcpwave/lib/kea/hooks/libdhcp_ha.so registered standard
callout for hook leases4_committed at address 0x7fc05b249e70<br>
2023-06-28 11:33:40.413 ERROR
[kea-dhcp4.ha-hooks/13148.140464316582080]
HA_CONFIGURATION_FAILED failed to configure High Availability
hooks library: bad TLS config for server dhcp1: load of cert
file '/root/kea-server.csr' failed: no start line</div>
<div><br>
</div>
<div><br>
<div>Thanks</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Jun 28, 2023 at
3:47 PM Darren Ankney <<a
href="mailto:darren.ankney@gmail.com" moz-do-not-send="true"
class="moz-txt-link-freetext">darren.ankney@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi
Kraishak,<br>
<br>
When are you deploying? You may want to test with 2.3.8 as
the<br>
release of the next stable (2.4.0) is coming soon. As for
certificate<br>
use, I am not an expert in that area, but I believe that the
.pem<br>
format is most common and correct.<br>
<br>
Thank you,<br>
<br>
Darren Ankney<br>
<br>
On Wed, Jun 28, 2023 at 12:48 AM Kraishak Mahtha <<a
href="mailto:kraishak.edu@gmail.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">kraishak.edu@gmail.com</a>>
wrote:<br>
><br>
> Hi Darren,<br>
> Thank you for the suggestion. I forgot to mention, I am
using the Kea 2.2.0 version, the last stable one (yes, as it's
the latest version compared to 2.17). We don't need
kea-control agents and, as I am using HA+MT, I don't have a
dependency on the kea-control agent on any of the peer servers<br>
><br>
> I have one more doubt about the certificate type to be
used. In the Kea 2.2.0 document, the document says "Objects
in files must be in the PEM format" under section 23.1.2
TLS/HTTPS Configuration.<br>
> And also I checked the example configs in the reference
documents, and most of them show .pem files for all three
attributes<br>
> "trust-anchor": /usr/lib/kea/CA.pem,<br>
> "cert-file": /usr/lib/kea/server1_cert.pem,<br>
> "key-file": /usr/lib/kea/server1_key.pem<br>
><br>
> 1) So my doubt is: should all three certificates be in
.pem format?<br>
><br>
> Asking this because while I was reading about the
certificate content, at one of the places it says "The sample
set of the certificates are available at
src/lib/asiolink/testutils/ca" in the Kea source folder, and when I look
there I don't see .pem files<br>
> I just want to test with those sample certificates to rule
out whether the issue is either with the environment setup or
with my certificates.<br>
><br>
> Thanks<br>
><br>
> On Wed, Jun 28, 2023 at 2:10 AM Darren Ankney <<a
href="mailto:darren.ankney@gmail.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">darren.ankney@gmail.com</a>>
wrote:<br>
>><br>
>> Hi Kraishak,<br>
>><br>
>> In the latest 2.3.8 ARM, the full quote is:<br>
>><br>
>> "Before Kea 2.1.7 using HTTPS in the HA setup
required use of the<br>
>> Control Agent on all peers."<br>
>><br>
>> followed by:<br>
>><br>
>> "Since Kea 2.1.7 the HTTPS server side is supported:"<br>
>><br>
>> see <a
href="https://kea.readthedocs.io/en/kea-2.3.8/arm/hooks.html#https-support"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://kea.readthedocs.io/en/kea-2.3.8/arm/hooks.html#https-support</a><br>
>> for full details.<br>
>><br>
>> On Tue, Jun 27, 2023 at 12:26 PM Kraishak Mahtha <<a
href="mailto:kraishak.edu@gmail.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">kraishak.edu@gmail.com</a>>
wrote:<br>
>> ><br>
>> > Hi, I am using the kea-failover peer with multi-threading
enabled (HA+MT), hence I am not using the control
agent and using it directly, and everything is working fine
as expected.<br>
>> > Here now I am trying to use TLS with
certificates configured, but it does not seem to work as
expected. When I was reading more on the certificates section
I saw a line saying "using HTTPS in the HA setup required use
of the Control Agent on all peers", so just to rule out my
issue with certificates, do we need to use/configure the Control
Agent on all peers for TLS even after enabling multi-threading?<br>
>> ><br>
>> > Thanks in Advance<br>
>> > Kraishak<br>
>> ><br>
>> > --<br>
>> > ISC funds the development of this software with
paid support subscriptions. Contact us at <a
href="https://www.isc.org/contact/" rel="noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://www.isc.org/contact/</a>
for more information.<br>
>> ><br>
>> > To unsubscribe visit <a
href="https://lists.isc.org/mailman/listinfo/kea-users"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.isc.org/mailman/listinfo/kea-users</a>.<br>
>> ><br>
>> > Kea-users mailing list<br>
>> > <a href="mailto:Kea-users@lists.isc.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Kea-users@lists.isc.org</a><br>
>> > <a
href="https://lists.isc.org/mailman/listinfo/kea-users"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.isc.org/mailman/listinfo/kea-users</a><br>
</blockquote>
</div>
<br>
</blockquote>
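<p>An added example, not Kea's own code and not from any poster in this thread: a small Python check, run before starting kea-dhcp4, that confirms each of the three HA TLS files holds a PEM object of the kind Kea expects. It flags the mistake discussed above, a certificate signing request (.csr) passed as <code>cert-file</code>, which OpenSSL otherwise rejects at startup with "no start line". The acceptable-label table and the sample file contents are constructed assumptions for the example, not values taken from Kea.</p>

```python
# Added example (not Kea's code): verify the files a Kea HA TLS config names
# are PEM objects of the expected kind, catching e.g. a .csr used as cert-file.
import re

# PEM labels acceptable per HA TLS parameter (assumption, based on the ARM
# note quoted in the thread that all three objects must be PEM).
EXPECTED_LABELS = {
    "trust-anchor": {"CERTIFICATE", "TRUSTED CERTIFICATE"},
    "cert-file": {"CERTIFICATE"},
    "key-file": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
# One PEM block: BEGIN/END lines carrying the same label around any body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)

def pem_labels(text):
    """Labels of every PEM block in the file text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_tls_file(param, text):
    """None if the content suits `param`, otherwise a one-line explanation."""
    labels = pem_labels(text)
    if not labels:  # exactly the case OpenSSL reports as "no start line"
        return f"{param}: no PEM block found (OpenSSL: no start line)"
    wrong = [lab for lab in labels if lab not in EXPECTED_LABELS[param]]
    if wrong:
        return f"{param}: found {wrong[0]!r}, expected {sorted(EXPECTED_LABELS[param])}"
    return None

def check_ha_tls(ha_config, read):
    """Problems with the TLS files an HA config dict names; read(path) -> text."""
    problems = []
    for param in EXPECTED_LABELS:
        path = ha_config.get(param)
        if not path:
            continue
        try:
            problem = check_tls_file(param, read(path))
        except (OSError, KeyError) as exc:
            problem = f"{param}: cannot read {path}: {exc}"
        if problem:
            problems.append(problem)
    return problems

# Constructed stand-in files (placeholder bodies, no real key material);
# the CSR is what the thread wrongly passed as "cert-file".
SAMPLE_FILES = {
    "/root/kea-server.crt": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n",
    "/root/kea-server.csr": "-----BEGIN CERTIFICATE REQUEST-----\n(constructed)\n-----END CERTIFICATE REQUEST-----\n",
    "/root/kea-server.key": "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n",
}
THREAD_CONFIG = {"trust-anchor": "/root/kea-server.crt",
                 "cert-file": "/root/kea-server.csr", "key-file": "/root/kea-server.key"}
```

For real files pass <code>read=lambda p: open(p).read()</code>; a non-empty result means kea-dhcp4 will log HA_CONFIGURATION_FAILED for that parameter.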
</body>
</html>